Uber's GitHub slip-up

Background: Uber or one of its contractors uploaded a security key to a public GitHub gist. Malicious actors were able to use the key to access the database and made away with the personal details of 50,000 Uber drivers. Article here.

This is one of those pesky little problems with version control. Passwords have to be stored in config files, which ship with the code. It is an especially common problem for small open-source projects with only a few collaborators, oftentimes working on a single master branch. At that scale it is not feasible to set up automated CI servers to run scripts that detect such slip-ups. How then do we prevent it from happening?

I must admit that it has happened to me once before. I accidentally committed a MySQL user account and password into a public GitHub repo. Fortunately, I realised it a few days later and managed to change the password (hopefully no one noticed it). This got me thinking about how to prevent a repeat of such an incident.

    $ cat ../../projA-secrets.txt
    -----BEGIN RSA PRIVATE KEY-----
    -----BEGIN DSA PRIVATE KEY-----
    p@55w0rd
    s3cr3tK3y

So, the first step is to maintain a list of all secret keys and passwords for that project in a text file outside the root of the project directory. People might argue that it is unsafe to store all your passwords in one text file. My response is that the objection amounts to security by obscurity: the passwords are already stored in plaintext somewhere within the project, and an experienced adversary would know where to look, so the list doesn't weaken security much. If you really want to, you could name the file projA-README.txt or something.

    grep -rnHF --exclude-dir=.git -f ../../projA-secrets.txt .

The shell command above recursively searches the project (`-r`), treating each line of the secrets file as a fixed string rather than a regular expression (`-F`), and outputs every file name and line number (`-H`, `-n`) whose line contains one of those secrets. Therefore, by running this command before committing, you can double-check that you have removed all secrets. You can put this command in a pre-commit hook to make sure it runs before every commit.
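As an added example (not from the original post), here is a pre-commit hook that wraps the same grep check so that it runs on just the files staged for the commit and refuses the commit on a hit. The secrets-file location is the post's; the hook path, function names and the blank-line handling are my assumptions.

```shell
#!/bin/sh
# Hypothetical .git/hooks/pre-commit for this example. It assumes the secrets list
# lives at ../../projA-secrets.txt relative to the repo root, one secret per line,
# as in the post. Path and function names are assumptions for the example.
SECRETS_FILE="${SECRETS_FILE:-../../projA-secrets.txt}"

# Drop blank lines from the secrets list: an empty pattern given to grep -f
# matches every line, which would flag every file in the project.
clean_secrets() {
    grep -v '^[[:space:]]*$' "$1" || true
}

# scan_for_secrets SECRETS_FILE [FILE...]
# Prints file:line:text for every hit. Returns 0 if no listed secret appears
# in the given files, 1 if at least one does, 2 if the secrets list is unreadable.
scan_for_secrets() {
    secrets=$1
    shift
    [ -r "$secrets" ] || { echo "secrets list $secrets not readable" >&2; return 2; }
    [ $# -eq 0 ] && return 0
    patterns=$(mktemp)
    clean_secrets "$secrets" > "$patterns"
    rc=0
    if [ -s "$patterns" ]; then
        # -F: fixed strings, -n: line numbers, -H: always show filename,
        # -I: skip binary files, -s: no errors for deleted/unreadable paths
        grep -nHFIs -f "$patterns" -- "$@" && rc=1
    fi
    rm -f "$patterns"
    return $rc
}

# Hook entry point: scan only the files staged for this commit (added, copied,
# modified), so secrets already in history or in untracked files are out of scope.
# Note: file names containing whitespace are not handled by this simple word split.
run_hook() {
    staged=$(git diff --cached --name-only --diff-filter=ACM)
    [ -z "$staged" ] && return 0
    if ! scan_for_secrets "$SECRETS_FILE" $staged; then
        echo "pre-commit: listed secret found in staged files, commit aborted" >&2
        return 1
    fi
    return 0
}

# Run the hook only when git invokes this script as .git/hooks/pre-commit.
case "$0" in
    */pre-commit) run_hook || exit 1 ;;
esac
```

Copy it to .git/hooks/pre-commit and mark it executable; a match prints file:line:text and aborts the commit.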

Ever since that incident more than a year ago, I have never made the same mistake again.